Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

khamel83/secrets

Name: secrets
Author: khamel83

.claude/skills/secrets/SKILL.md

npx skillsauth add khamel83/oneshot secrets

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

/secrets — SOPS/Age Secret Management

Manage encrypted secrets between the master vault and projects.

Master Vault

Location: ~/github/oneshot/secrets/ Encryption: SOPS + Age (config in ~/github/oneshot/.sops.yaml)

CLI Commands

The secrets CLI (at ~/.local/bin/secrets) works from any directory.

# Read a single key
secrets get EXA_API_KEY

# List all vault files and their keys
secrets list

# Decrypt a full file to stdout
secrets decrypt research_keys

# Add/update a key (non-interactive, no commit)
secrets set research_keys 'NEW_KEY=value'

# Add/update + commit + push
secrets set research_keys 'NEW_KEY=value' --commit

# Bootstrap .env in a project from the vault
cd ~/github/myproject && secrets init services

Pull Secrets into a Project

Identify which secrets the project needs (check .env.example or imports)
Run secrets init <namespace> to write .env from the vault
Verify the app can start with the new secrets

Push New Secrets to the Vault

Add/update: secrets set <namespace> 'KEY=value'
Commit when ready: secrets set <namespace> 'KEY=value' --commit

Common Patterns

# Find which vault file contains a key
secrets list | grep -i brave

# Extract a key for use in a script
BRAVE_KEY=$(secrets get BRAVE_API_KEY)

# View all keys in a namespace
secrets decrypt research_keys

How It Works

Vault files are SOPS-encrypted dotenv at ~/github/oneshot/secrets/*.encrypted
secrets get searches all vault files for the key
secrets set decrypts the file, merges the new key, re-encrypts
secrets init decrypts a vault file to .env in the current directory
Age key lives at ~/.age/key.txt

Safety Rules

Never display secret values in output
Always verify .env is in .gitignore before writing
Namespace secrets by project in the vault
Never commit plaintext secrets
Never suggest .env files without encryption

Troubleshooting

| Problem | Fix | |---------|-----| | no matching creation rules found | Input file must end in .encrypted (handled by the CLI automatically) | | key not found in any vault file | Key doesn't exist in any vault — add it with secrets set | | file not found | Check secrets list for available namespaces |

khamel83/secrets

.claude/skills/secrets/SKILL.md

Manage encrypted secrets between the master vault and projects using SOPS/Age.

tools

Updated Apr 16, 2026

$ install --global

skillsauth

npx skillsauth add khamel83/oneshot secrets

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 16, 2026, 6:49 AM4.3s1 file scanned

SKILL.md

name:: secrets
description:: Manage encrypted secrets between the master vault and projects using SOPS/Age.

/secrets — SOPS/Age Secret Management

Manage encrypted secrets between the master vault and projects.

Master Vault

Location: ~/github/oneshot/secrets/ Encryption: SOPS + Age (config in ~/github/oneshot/.sops.yaml)

CLI Commands

The secrets CLI (at ~/.local/bin/secrets) works from any directory.

# Read a single key
secrets get EXA_API_KEY

# List all vault files and their keys
secrets list

# Decrypt a full file to stdout
secrets decrypt research_keys

# Add/update a key (non-interactive, no commit)
secrets set research_keys 'NEW_KEY=value'

# Add/update + commit + push
secrets set research_keys 'NEW_KEY=value' --commit

# Bootstrap .env in a project from the vault
cd ~/github/myproject && secrets init services

Pull Secrets into a Project

Identify which secrets the project needs (check .env.example or imports)
Run secrets init <namespace> to write .env from the vault
Verify the app can start with the new secrets

Push New Secrets to the Vault

Add/update: secrets set <namespace> 'KEY=value'
Commit when ready: secrets set <namespace> 'KEY=value' --commit

Common Patterns

# Find which vault file contains a key
secrets list | grep -i brave

# Extract a key for use in a script
BRAVE_KEY=$(secrets get BRAVE_API_KEY)

# View all keys in a namespace
secrets decrypt research_keys

How It Works

Vault files are SOPS-encrypted dotenv at ~/github/oneshot/secrets/*.encrypted
secrets get searches all vault files for the key
secrets set decrypts the file, merges the new key, re-encrypts
secrets init decrypts a vault file to .env in the current directory
Age key lives at ~/.age/key.txt

Safety Rules

Never display secret values in output
Always verify .env is in .gitignore before writing
Namespace secrets by project in the vault
Never commit plaintext secrets
Never suggest .env files without encryption

Troubleshooting

Related Skills

khamel83/vision

development

VerifiedTrustedCommunity

Smart visual analysis for websites and images using Playwright screenshots and AI vision.

SKILL.mdUpdated Apr 16, 2026

khamel83/.claude/skills/tdd

development

VerifiedTrustedCommunity

--- name: tdd description: Test-driven development with mandatory RED-GREEN-REFACTOR cycle. Enforces writing failing tests before production code. Use when implementing new features, fixing bugs with test coverage, or when the user wants TDD discipline. Trigger keywords: tdd, test first, test driven, red green refactor, add tests, coverage, write a test, failing test. --- # /tdd — Test-Driven Development RED-GREEN-REFACTOR cycle. No production code without a failing test shown first. ## Usage

SKILL.mdUpdated Apr 16, 2026

khamel83/.claude/skills/tdd

khamel83/short

tools

VerifiedTrustedCommunity

Quick iterations on existing projects. Load context, ask what's next, execute in burn-down mode.

SKILL.mdUpdated Apr 16, 2026

khamel83/restore

documentation

VerifiedTrustedCommunity

Restore context from a handoff document and continue work.

SKILL.mdUpdated Apr 16, 2026

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/khamel83/oneshot.git

# Copy into Claude Code skills folder (global)
cp -r oneshot/.claude/skills/secrets ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

khamel83/oneshot

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT